Third person arrested over TalkTalk hack, as company reveals extent of lost data

Graham Cluley
Graham Cluley
@[email protected]

TalkTalkEarlier today, British police searched an address in Staffordshire and arrested another person on suspicion of committing computer crime offences in relation to the TalkTalk hack.

According to a press release issued by the Metropolitan Police, a 20-year-old man has been taken into custody at a local police station and the search at the address continues.

The arrested 20-year-old is the third person to be apprehended in connection with the TalkTalk hack, following the arrest of a 15-year-old boy in County Antrim, Northern Ireland, and the arrest of a 16-year-old male in Feltham.

Meanwhile, TalkTalk’s CEO Dido Harding has issued a video statement describing that the extent of the data breach was “much smaller than originally suspected”:

Sign up to our free newsletter.
Security news, advice, and tips.

Here are the statistics that TalkTalk has shared regarding the stolen data:

  • Less than 21,000 unique bank account numbers and sort codes
  • Less than 28,000 obscured credit and debit card details (as previously stated, the middle 6 digits had been removed)
  • Less than 15,000 customer dates of birth
  • Less than 1.2 million customer email addresses, names and phone numbers

Harding says that TalkTalk needs to “work hard to earn back your trust”.

She’s right about that. Trust takes years to build, seconds to break, and can take forever to repair.

I was disappointed to read earlier today that victims of other TalkTalk security breaches, who lost thousands of pounds, are still being told by the company that it does not feel it is to blame for their losses and is refusing to pay compensation.

It’s clear that those people would never have lost money if it had not been for TalkTalk’s sloppy security. The company has failed to work hard enough to regain their trust, and those individuals will – no doubt – never deal with TalkTalk again, and will in the years to come warn their friends and family to stay well away from the firm.

Sometimes companies need to take things on the chin, and take the hit, in order to turn victims into brand advocates.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “Third person arrested over TalkTalk hack, as company reveals extent of lost data”

  1. coyote

    So it was 'much smaller than originally suspected. Okay, but anyone who has been affected really doesn't care if it is smaller or not; they care about being affected. Most people (I would like to believe all but I suppose this isn't the case seeing as how many companies react this way) only care about what was done and really couldn't care less about quantity. The fact customer data was stolen is what matters; it doesn't matter how many customers had data stolen. Of course, the numbers given are quite large (would hate to see their much larger concerns) and that isn't going to help matters. But even if the numbers were significantly smaller (let's say <= 100), to focus on that instead of how to address those affected, is a problem: they should be addressing those affected and they should be working out how to make things better for the future.

    Misdirecting isn't going to help their case. And indeed, trust can be broken in an instant but regaining that trust takes a lot of time and effort, if it ever happens at all.

  2. Peter Hogarth

    I'm no technophobe, but surely if Talktalk know how much data was compromised they also must know whose data is involved, in which case why are the individuals affected not being notified of the fact?
    Or am I making assumptions based on lack of knowledge as to how these things work.

  3. Tragic Kingdom

    It feels like a Saudi Style investigation into the deaths of thousands of pelgrims. You admit to a few hundred dead bodies and as long as nobody is able to connect the dots you do not have to reveal the real numbers. Customers are let to believe that they are within the 20-30,000 group.
    Given the fact that the culprits were teens who can hardly be punished for it, it is a win win situation for anyone. The government, the police, the culprits and the customers who are less likely to run away.

  4. johncrowther

    Argh shurely shome mishtake.

    FEWER not less, Dido.

    1. coyote · in reply to johncrowther

      I'm afraid you're mistaken. Less is correct in this case. If you are curious why, here is a guideline:

      Languages have this interesting complexity in that the rules aren't always as simple as you might expect, and while some of it might be illogical (in your own view), those illogical rules are still well defined. The same applies to exceptions to rules. But 'less or fewer' isn't illogical and there aren't any exceptions.

      Edit: To be fair, there are exceptions but I meant there aren’t exceptions in the context of numbers (less than X customers …).

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.